NFR Wizards Archive: RE: New FW architecture? (was RE: Time for

RE: New FW architecture? (was RE: Time for a new FWTK?)


Ted Doty (tediss.net)
Tue, 02 Dec 1997 09:19:13 -0500


At 03:57 PM 12/1/97 -0500, Stout, William wrote:

>I believe this is natural evolution of the firewall architecture (Note
>that I did not say proxy server). IMNSO - It's inane to force all the
>possible protocol filtering requirements of a corporation onto one box,
>especially if one user exposes the entire corporation to a new unproven
>protocol.

[lots of interesting ideas deleted]

It's important to keep our eyes on the problem. The external problem is
lack of accountability combined with the lack of any mechanism to (legally)
enforce your policy goals. This is why we focus on prevention, because
it's so dang hard to prosecute.

The internal problem is different. These people work for us. There are
actions we can take if we see someone straying from the bounds set by
policy (at least in theory). My gut feel is that proper monitoring,
combined with education (i.e. letting people know that you know what's
happening) is a moderately good deterrent.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East | Fax: +1 770 395 1972
Atlanta, GA 30346 USA | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:54 CDT